Information Privacy Policy

Policy Corporate Governance Information Privacy Policy

Print Friendly and PDFPrint Friendly

Intent

To specify the right of access to, and amendment of, personal information collected by the University.

Scope

This policy applies to all University staff, students, contractors and any other third party who collects or manages personal information on behalf of the University.

Definitions

RTI Act – Right to Information Act (Qld) 2009

IP Act – Information Privacy Act (Qld) 2009

Document - The Queensland Right to Information Act 2009 (RTI Act) defines a document as "a document, other than a document to which the RTI Act does not apply, in the possession, or under the control, of the University whether brought into existence or received in the University, and includes –

(a) a document to which the University is entitled to access and

(b) a document in the possession, or under the control, of an officer of the University in the officer’s official capacity."

Documents may be in hard copy or electronic format and include files, reports, emails, correspondence, computer printouts, maps, plans, photographs, and audio and video recordings.

Administrative release - refers to access to information, in full or in part, in certain types of administrative or operational records. Such records are generally released as a matter of course, in response to a request, without the need for a formal application under legislative authority such as the RTI and IP Acts.

Policy

Background

The Information Privacy Act 2009 (IP Act) provides individuals with a legally enforceable right of access to, and amendment of, their own personal information held by the University, unless this would, on balance, be contrary to the public interest. James Cook University is defined as a public authority under the IP Act and is therefore subject to the requirements of the Act.

Requests for non-personal information or for the personal information of others are dealt with under the terms of the Queensland Right to Information Act 2009, as outlined in the University's Right to Information Policy.

Collection and Management of Personal Information

JCU collects personal information to enable it to function effectively. Any personal information collected by the University is managed in accordance with the eleven Information Privacy Principles (IPPs) as set out in the IP Act. JCU is committed to an open environment which enables the general public, students and staff to access University documents that contain their own personal information without the need to make a formal IP Act request. In certain circumstances the University will release information administratively.

JCU collects the following types of personal information:

  • student records, such as enrolment, academic performance, graduation, welfare and equity group information;

  • employment records, such as recruitment and appointment, leave, payroll and superannuation information, performance management and discipline;

  • financial and business records, such as personal accounting information;

  • information technology records, such as internal and external telephone, email and internet activity records;

  • research participant records;

  • alumni and donor records;

  • library records; and

  • other records such as committee membership contact and personal details.

Day to day access to the personal information of others is restricted to staff in the organisational unit that requires access e.g. Human Resources staff have access to employment records.

Personal data will also be used to assist in the provision of the following activities and services:

  • education ;

  • employment (references, sickness records);

  • research;

  • support services;

  • statutory, statistical and questionnaire returns;

  • alumni relations;

  • financial records; and

  • security and crime prevention.

JCU may in certain circumstances transfer personal information interstate or overseas e.g. information may be transferred off-shore for storage by contracted IT service providers. Where JCU transfers personal information interstate or overseas it will:

  1. comply with those provisions of the Queensland Information Privacy Act 2009 that relate to transborder data flows: and

  2. take all reasonable steps to ensure that third party service providers do not use or disclose transferred personal information for a purpose other than that for which it was collected by JCU. JCU will do this primarily by entering into legally binding contracts with service providers which require compliance with the Information Privacy Principles contained in the Information Privacy Act.

Release of Personal Information

The University has in place mechanisms and normal administrative practices to handle routine requests for access to information such as academic transcripts, or for alterations to information such as changes of address. Individuals wishing to obtain access to, or amend, information about themselves, should contact the relevant officer in the area in which the information is held or the Privacy Decision-Maker, Governance & Corporate Services, James Cook University, Townsville QLD 4811.

The personal information of staff and students will not be released without their written consent except in the following instances:

1. where it is a matter of public record, (eg awards conferred);

2. where it relates to a person's University contact details as provided through the JCU website;

3. where requisite information is made available to professional regulatory bodies as part of the registration requirements of those bodies (eg state medical boards, teaching regulatory bodies);

4. where a request is made in accordance with a legislative or statutory provision (eg requests by Centrelink, made under an Act or Statute, for details regarding the enrolment status of students;

5. where an official written request has been received from a law enforcement agency in relation to a legal process;

6. where a legally enforceable request or direction has been received (eg subpoenas or writs issued by a court); or

7. where disclosure is necessary to prevent or lessen a serious threat to a person's life, health, safety or welfare, or to public health, safety or welfare.

A record of all personal information released will be kept. Under the Information Privacy Act, an individual has the right of access to documents held by the University which contain that individual’s personal information, and has the right to amend that information, if it is inaccurate, misleading, incomplete or out of date.

The Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.

The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.

If a request for access or amendment is refused, the University will give specific written reasons for the decision and advise the applicant of their rights to appeal against the decision.

Decision Making

The Vice-Chancellor is defined as the “principal officer” under the IP Act. The Vice-Chancellor has delegated the responsibility for determining the outcome of IP Act applications to the Deputy Director, Governance Support and Corporate Information.

The Deputy Director, Governance Support and Corporate Information is responsible for making decisions regarding release of documents within the time periods as set out in the Information Privacy Act and liaise with both prospective applicants and University units regarding access to documents.

Officers in charge of individual University units, or their Records Management Coordinators, are responsible for locating information held in their areas. If information cannot be located, a written explanation of what action was taken to locate the information will be provided to the Deputy Director, Governance Support and Corporate Information.

The Director, Governance Services and University Secretary, as Internal Review Officer, is responsible for the internal review of decisions made by the Deputy Director, Governance Support and Corporate Information, if requested by the applicant.

Making Requests for Access to Personal Information

An IP Act request by a person, for access to their own personal information, must be made using the appropriate form. An applicant should obtain an application form from the Information Privacy webpage and post or deliver the application to:

Deputy Director, Governance Support and Corporate Information (Privacy Decision Maker)

Governance and Corporate Services Office,

James Cook University,

Townsville, Qld 4811

Response to requests for access

The University is required to acknowledge receipt of the request within 10 business days, to consult with the applicant regarding any difficulties in dealing with the request, and either grant access to the documents or provide specific written reasons for refusing access within 25 business days. This may be extended by a further 10 business days if consultation with a third party is required.

If inspection only of documents has been requested the applicant will be provided with reading facilities. At the applicant's request, the University will provide a copy of the documents, where possible, in the format requested.

Charges

There is no charge for access to, or amendment of, personal information. There may be charges for copies of documents or other services. Where hardship can be demonstrated these fees may be waived.

Appeal

The IP Act gives members of the public a legally enforceable right to appeal against a refusal by the University to grant access to, or to amend, personal information.

Internal Review

If the decision on an IP Act request was made by a University officer other than the Vice-Chancellor, an applicant may request the University to reconsider its decision. An applicant may however apply directly for external review without first seeking internal review.

An application for internal review must be lodged in writing within twenty business days of notification of the decision stating reasons for seeking amendment of the decision or identifying particular aspects of the decision which are of concern, and must be lodged with:

The IP Internal Reviewer,

Governance & Corporate Services Office,

James Cook University,

Townsville, Qld 4811.

A fresh decision will be made as soon as practicable, but no longer than twenty business days after the application is received, by the RTI Internal Reviewer. Reasons will be given if the appeal against the original decision is not upheld. Applicants will also be advised of their rights to seek external review.  Where the Internal Review Officer fails to make a decision within the prescribed timeline, it will be deemed that they have made a decision re-affirming the original decision.

External Review

The Information Commissioner is an independent person responsible for reviewing the IP Act decisions of all agencies.

An application to the Commissioner for external review may be made if:

  • the request was decided originally by the Vice-Chancellor;

  • an applicant is dissatisfied with the outcome of an internal review; or

  • the Internal Review Officer fails to make a decision within the prescribed timeline.

An application for external review must be made in writing within twenty business days of the notification of the decision or outcome of internal review.

Further information and contacts are available on the Information Privacy webpage.

Third-Party Requests for Personal Information in Relation to Legal Processes

From time to time, third parties, such as the Queensland Police, legal representatives and others submit requests for personal information in relation to legal processes.

Information will only be provided to legal representatives where a subpoena or writ of non-party disclosure is provided, or where the individual to whom the request relates has provided written consent.

Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a student, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Student & Academic Services or nominee.

Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a member of staff, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Human Resources Management or nominee.

Procedure:  Privacy Complaints Procedure

Procedure

Responsibility

Timeline

If individuals believe that their personal information has not been dealt with in accordance with the Information Privacy Act 2009, they may make a complaint to the Privacy Decision-Maker at the University. The complaint must be made in writing. Complaints should be forwarded to the Privacy Decision-Maker, Governance & Corporate Services, James Cook University, Townsville QLD 4811.  (See Note 1 below.)

Complainant

Up to twelve months from the date when the breach was suspected to have occurred.

Complaints will be acknowledged in writing.

Privacy Decision-Maker

Within 10 business days from the date on which the complaint was received.

The complaint will be processed and the complainant will be advised in writing of the decision.

Privacy Decision-Maker

Within 45 business days from the date on which the complaint was received.

If applicants are not satisfied with the decision they may apply in writing to the Privacy Decision-Maker for internal review of the initial decision.

Complainant

Within 20 business days of the complainant receiving the initial complaint decision.

The internal review will be carried out and the complainant will be advised in writing of the review decision.

Internal Review Officer

Within 20 business days of the date of receipt of application for internal review.

Note 1:  The Information Commissioner's Office requires that any complaints first be lodged with the University, and that the Information Commissioner will not hear complaints after twelve months has lapsed from the date of alleged breach of privacy.

Related documents, legislation or JCU Statutes

Information   Privacy Act 2009

Right to Information Act 2009

Privacy and Right to Information Guidelines

Fact Sheet Privacy and Right to Information

Statement on the Use of Communication Facilities

Records Management Policy

Records Management Framework

Procedures for Dealing with an Information Request

Approval Details

Policy sponsor:

Director, Governance Services & University Secretary

Approval authority:

Vice-Chancellor

Version no:

13-1

Date for next review:

16/02/2016

Modification History

Version no.

Approval date

Implementation date

Details

13-1

25/06/2013

26/05/2013

Minor amendments – updated to reflect changes in job title (from Manger to Deputy Director) and the fact that Information Privacy is dealt with solely by the Governance Support Unit.

11 - 1

16/02/2011

17/02/2011